Type ahead for the master password

In my opinion we should not allow any kind of type ahead or keyboard shortcut for typing the master password. It should always be entered by the user considering it is the MASTER KEY.

Thoughts?

Thanks,
Abhijit


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • I've been using 1password in Windows for almost a year and have never seen any sort of typeahead, auto type, keyboard shortcut, autocomplete, or any other things of that nature, when typing my 1password master password. In what circumstances do you think this is happening?

  • bundtkatebundtkate

    Team Member

    You can paste your Master Password, @Abhijit, and I don't see that option going anywhere. The overwhelming advice from security professionals it to allow pasting passwords. Although this advice is largely given to ensure tools like 1Password can be used on websites, the supposed protections those disabling paste claim it provides have largely been dismissed as myths by the security community at large. We see no cause to potentially increase friction for our customers when we can't point to any security gain from doing so.

    As for "type ahead" I'm not sure I can cover all possibilities there, but I do use TextExpander frequently and it cannot expand snippets for me in the Master Password field. In general, though, the real danger comes from someone else knowing your Master Password, not that they have options to enter it more quickly. We protect the Master Password field from tools like TextExpander not because we don't want them to write to your Master Password field, but because we don't want them to read what you write there.

    The real solution to problems like brute force attacks is not to do things like disabling paste, but to protect your computer from those types of compromises in the first place. Even with paste disabled in the Master Password field, an attacker with access to your computer has access to your encrypted data. If they want to brute force your Master Password to unlock that data, they can (and most likely would) do so without involving 1Password at all. For this reason, any protections put on the Master Password field would amount to security theater rather than providing any genuine protection. Security theater can not only create unneeded friction, but also lead folks to make less secure choices making such features harmful rather than helpful. It is thus best avoided.

    Of course, that's not to say your concerns are unreasonable. Like @fritzophrenic mentioned, I'd be interested to know what exactly you're seeing work here that you feel shouldn't. I've tried to cover these types of concerns in general here and I hope it's been helpful, but if you can give more detail about what's specifically bothering you, I'd be happy to address it directly as well. :chuffed:

    Finally, I'd encourage you to check out the blog post I linked above from the UK government's Cyber Security Centre, as well as the post from Troy Hunt they link at the end. Even if neither directly addresses your question here, both have some great general info about why it's a best practice to allow pasting. I see you here asking these sorts of great questions quite often, so I'd wager you'd find both of interest, even if they don't directly speak to your concern here. :+1:

  • AbhijitAbhijit
    edited July 2019

    Thank you for detailed reply @bundtkate!

    "We protect the Master Password field from tools like TextExpander not because we don't want them to write to your Master Password field, but because we don't want them to read what you write there."

    • This is not true. I use PhraseExpress. I have a shortcut key for Master Password like ".\". Our application allows it to replace it with master password everywhere except one screen which blanks out the complete screen for 1Password Master Password entry.

    Thanks,
    Abhijit

  • bundtkatebundtkate

    Team Member
    edited July 2019

    So in this case, you're right @Abhijit. Based on Text Expander's behavior, I assumed we use something similar to Mac's Secure Input on Windows, but that's apparently not an option and TextExpander's failure is wholly unrelated. I'm sorry – I should know better, but my observations were very much telling me that TextExpander couldn't read my abbreviation so it seems a very reasonable assumption. Everything I mentioned is accurate for 1Password for Mac and the claims about allowing paste stand, but on Windows you would need to use the Secure Desktop option to get similar protections to what Secure Input provides on Mac. I'd suggest trying you tool there – either click the shield icon on the unlock screen or press Ctrl + Shift + Enter with the Master Password field focused to unlock on a Secure Desktop then try using PhraseExpress. Let me know what you find.

    With that said, I'd strongly discourage using such a tool to type your Master Password regardless. By setting up a snippet or shortcut for your Master Password, you're necessarily going to end up sharing your Master Password with that tool so it knows what to type or paste. You're possibly even syncing it off to their servers, if they have a sync option for your snippets. We don't even want you sending your Master Password to us – only you should know it. PhraseExpress may be a very secure tool, but regardless, sharing it with any service makes it more vulnerable to being compromised. By keeping your Master Password private, you're ensuring that no matter whose servers might be breached, your Master Password is still safe. Secure Desktop should have you covered on preventing expansion – but I'd still suggest removing your Master Password from PhraseExpress and changing it. Keeping your Master Password to yourself is always the best practice. :+1:

  • Thanks @bundtkate! I have not shared my master password with any tool fortunately. I just tested it once for 1Password to see if it allows and do we have a risk exposure in that case. The objective was to make 1Password better and better.

    Note that shield icon is not present in every use case where we ask for the master password for the extensions, 1PX etc.

    Thanks,
    Abhijit

  • bundtkatebundtkate

    Team Member

    The shield is available in the companion extension, @Abhijit, but you're right it won't be in 1Password X. 1Password X is totally separate from the desktop app and lives in your browser, so unless and until it integrates with the desktop app, it won't have access to some features specific to the desktop app like Unlock on Secure Desktop. That said, 1Password X has some protections that are unique to the browser environment that may mitigate some of your concerns there as well. From the perspective of brute-force attacks, though, the same advice applies to 1Password X as 1Password for Windows – preventing text expansion and paste in an effort to slow down such attacks doesn't provide any genuine protection there either and your best defense remains a strong Master Password that's well-protected and using a machine that's well-guarded from malware. :chuffed:

  • ag_anaag_ana

    Team Member

    On behalf of bundtkate, you are welcome!

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.